ACL UserAuth -> User Permissions

User Authentication and Role / ACL based Authorization

It has been 2.5 years since my last work on this code ( UserAuth v0.9.2 )
Since then it was further advanced & supported by Tomcode to v0.9.2t7
This existing code became obsolete with CI 1.6.x

Now working to dust off this legacy code and bring it back onto the open stage.

The existing code base is being upgraded to be compatible with CI 1.7.1 and now requires PHP 5.
In addition, a db table and model for Roles are being added, with the db fields $acl_role_name, $allow_list, $deny_list.
There is a page being added into the admin section to manage permissions (ACL Lists)

Website is currently offline for software upgrade.
June 14th is the schedule for ACL UserAuth v1.0 alpha.

ACL UserAuth features:

  • Simple usage, User Management System
  • Access Control Lists(ACL) and User Groups
  • Role based Permissions easily configurable
  • Configurable, Inactive Login Expiration
  • "Remember Me" with db backed cookies
  • User, Group & ACL Role Administration
  • Supports table prefixes for db
  • Case-sensitive usernames
  • License is LGPL

ACL UserAuth comes bundled in a Mini-App for a simple demo.

  • Auto-install script for required db tables
  • Application has minimal templates in view
  • Add static content without adding code
  • UI, Tables and Forms are multi-lingual
  • Internationalization, i18n for UserAuth
    - Cookie based, user selection
    - Browser language detect (library files)
       * English, French, German, Polish

Definitions

Users are lumped together into Groups to simplify ACL rules.
- A user belongs to one and only one Group.

The model "User_Group" has two tables, 'users' and 'groups'.
- A maintenance panel is provided in the Admin section of the site.

Userauth library is a utility class for session management.
- Uses CI Sessions with a db backed RememberMe Cookie.
- Optional, browser language detect sets session variable.
- 'User' Controller demonstrates usage with a login form.

Roles are ACL based Permissions... Allow & Deny lists.
- These are space-delimited lists of users and groups.
- Group names are delimited with an "@".

db Model of Roles managed from the Admin section.
- Users and Groups can belong to multiple Roles.

Rules of ACL Role Permissions

  • An empty list                    ->    permits everyone
  • If only an Allow list            ->    Permits only those on Allow list
  • If only a Deny list              ->    Permits everyone except those Denied
  • If both Allow & Deny lists   ->    Permits those Allowed except those Denied
  • If Role not found in db      ->    Allows a Group of the same name if it exists
                                                   - else permits nobody -> error is logged

                     Groups are defaulted to behave as Roles
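
The rules above, worked through as an added example (this is not ACL UserAuth's own code). The function names, the array shape of a role row, the leading "@" on group entries and the use of error_log() for the logged error are assumptions made for the illustration.

```php
<?php
// Added illustration, not ACL UserAuth's code. Assumed: group entries carry a
// leading "@", and a role row has 'allow_list' and 'deny_list' strings.

// Split a space-delimited ACL list into entries, dropping empty tokens.
function acl_entries($list)
{
    return preg_split('/\s+/', trim((string) $list), -1, PREG_SPLIT_NO_EMPTY);
}

// True if the user, or the user's single group, is on the list. Matching is
// strict (usernames are case-sensitive); a username starting with "@" never
// matches, so it cannot pass itself off as a group entry.
function acl_listed($list, $username, $group)
{
    $entries = acl_entries($list);
    $user_hit = strpos($username, '@') !== 0 && in_array($username, $entries, true);
    $group_hit = $group !== '' && in_array('@' . $group, $entries, true);
    return $user_hit || $group_hit;
}

// $roles: role name => row, a constructed stand-in for the Roles table.
// $groups: names of the groups that exist.
function acl_is_role($role, $username, $group, $roles, $groups)
{
    if (!isset($roles[$role])) {
        // Role not in db: a group of the same name behaves as the role.
        if (in_array($role, $groups, true)) {
            return $group === $role;
        }
        error_log("ACL: role '$role' not found, permitting nobody");
        return false;
    }
    // Deny wins over Allow, so it is tested first.
    if (acl_listed($roles[$role]['deny_list'], $username, $group)) {
        return false;
    }
    // An empty Allow list permits everyone who was not denied.
    $allow = $roles[$role]['allow_list'];
    return count(acl_entries($allow)) === 0
        || acl_listed($allow, $username, $group);
}

// Constructed sample data.
$roles  = array('editor' => array('allow_list' => '@staff alice', 'deny_list' => 'bob'));
$groups = array('staff', 'members');
var_dump(acl_is_role('editor', 'bob', 'staff', $roles, $groups));      // bob is on Deny, his group on Allow
var_dump(acl_is_role('members', 'carol', 'members', $roles, $groups)); // no such role, group of the same name
```

Testing Deny before Allow makes all four list combinations fall out of one code path, and an unknown role with no matching group fails closed.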

API and Usage

  • Required in a controller's constructor to ensure RememberMe

    class The_Controller extends Controller {
       function __construct() {
          parent::__construct();
          $this->userauth->Check();
       }
    }

  • To set Permissions:

    • In a Controller's constructor or functions
          $this->authorize->roleCheck( $role, $redirect_uri );

    • For a block of code or content
          if ( $this->authorize->isRole($role) ) { ..... }

  • Session variables
    • ua_language -- Selected user language
    • last_activity

  • ACL Userauth files

      - libraries/userauth.php

    • $this->userauth->Check();     // Updates session status
    • $this->userauth->loggedin();  // test logon status
    • $this->userauth->logout();
    • $this->userauth->trylogin( $username, $password );

      - libraries/authorize.php

    • $this->authorize->isRole($role) - Tests the user's username against the ACL list of $role

    • $this->authorize->roleCheck( $role, $redirect_uri ); - Is the same as...
          if( ! $this->authorize->isRole($role) ) { redirect( $redirect_uri); }
          - if $redirect_uri is undefined, user/auth_error is the default

      - libraries/lang_detect.php is used by userauth to detect browser's setting
    • $this->lang_detect->language();

      - libraries/install.php A script to install fresh or to update the version of an existing database
    • $this->lang_detect->language();

      - controllers/user.php as used in Mini-App example

    • user/ --> redirect ($this->session->flashdata('uri'));
          Your app might want.. "if login: edit profile, else: login page"

    • user/login --> this uri handles the action from the login form
          In Mini-App the db tables are tested to see if libraries/install.php needs to run.
          Does $this->userauth->trylogin($username, $password), updates RememberMe.
          Goes to a page defined by flashdata or errors to a language adjusted error page.

    • user/logout --> This action handler does $this->userauth->logout();
          and then an option to redirect( $this->session->flashdata('uri') );
          or instead, display a configurable "logout message" at user/

    • user/set_language --> The action for the "language selector" Sets session and cookie
    • user/ -->
    • {$site_url}/user/auth_error --> Default Permission Error Page

      - models/user_group.php
    • $this->user_group->group_this_user();
    • $this->user_group->testLogin($username, $password);


  • - This definition is a work in progress

User Management

The fields that might be needed for your User database, forms for registration and profile,
and the emails for user verification & forgot password, are beyond my scope for this project.

There are multiple examples to be found in CodeIgniter's forums.
        Maybe someone might be so kind as to contribute.